On April 18, 2017, the state of Washington passed House Bill 1493 (“HB 1493”), which sets forth requirements for businesses who collect and use biometric identifiers for commercial purposes. Under HB 1493, a biometric identifier includes a fingerprint, voiceprint, retina, iris or other unique biological pattern or characteristic used to identify a specific individual. Commercial use includes “a purpose in furtherance of the sale or disclosure to a third party for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual’s biometric identifier.” This bill comes after several other states have passed similar legislation regulating the commercial use of biometric identifiers, including the Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”) and the Texas Statute on the Capture or Use of Biometric Identifier (Tex. Bus. & Com. Code Ann. §503.001).
Unlike the Illinois and Texas statutes, HB 1493 does not create a private right of action to allow for suits by individual plaintiffs. Instead, only the Attorney General can enforce the rules. The decision not to allow private lawsuits under HB 1493 may be a reaction to the high-profile class action claims brought under BIPA against Facebook and L.A. Tan.
In a settlement last year, L.A. Tan paid $1.5 million to settle class action claims under BIPA after plaintiffs alleged that L.A. Tan’s practice of using fingerprint scans to identify its customers violated the statute because L.A. Tan did not get written consent for the scans, failed to inform its customers of its retention policy and disclosed the data to a third party. According to the settlement, L.A. Tan denied the allegations but agreed to comply with BIPA in the future.
In 2015, multiple plaintiffs brought suits against Facebook, alleging that Facebook’s tag-suggestion feature – which uses facial recognition software to make it easier to “tag” or link photos to friends’ profiles – violated BIPA because it collected users’ facial features without first obtaining proper consent. Those cases were consolidated in the United States District Court for the Northern District of California in In re Facebook Biometric Information Privacy Litigation, 3:15-cv-03747 (Aug. 2015) and are currently stayed pending the Ninth Circuit’s review of Robins v. Spokeo, Case No. 11-56843 (9th Cir.) [Dkt. 108]. Spokeo is being reheard and reconsidered by the Ninth Circuit after remand from the Supreme Court. Spokeo addresses whether a Plaintiff has Article III standing to bring a claim simply by alleging a statutory violation, or whether and to what extent it must also allege particularized injury. The Ninth Circuit’s decision on remand will inform whether In re Facebook goes forward since the Facebook plaintiffs’ allegations are primarily based on technical violations of BIPA, and not individual harm.
As the commercial use of biometric identifiers becomes more commonplace (for example, the iPhone’s fingerprint authentication for Apple Pay), retailers should be mindful of the developments in state legislation that regulate commercial use and storage of biometric data, as the regulatory landscape is rapidly evolving and is inconsistent from state to state. The Washington, Texas and Illinois statutes differ in important ways. For example, while the Washington bill creates a carve out for use of biometric identifiers for security purposes while the Texas and Illinois statutes do not. Therefore, a retailer using video surveillance with facial recognition capabilities to identify shoplifters would have different obligations for gaining consent for the capture in Illinois than in Washington. Whenever using or considering use of technology that captures biometric data, companies should be advised that such use is regulated, and consult the requirements of the state statutes where they operate. Hunton & Williams has compiled a 50 state survey of relevant laws and continues to monitor for passage of relevant new legislation.